<!doctype html>



  


<html class="theme-next mist use-motion" lang="zh-Hans">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>



<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css" />




  
  
  
  

  
    
    
  

  

  

  

  

  
    
    
    <link href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic&subset=latin,latin-ext" rel="stylesheet" type="text/css">
  






<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=5.1.0" rel="stylesheet" type="text/css" />


  <meta name="keywords" content="CC攻击,SYN攻击,ACK攻击," />





  <link rel="alternate" href="/atom.xml" title="Da'sBlog" type="application/atom+xml" />




  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=5.1.0" />






<meta name="description" content="三次握手的过程及相关概念TCP/IP协议使用三次握手来建立连接，过程如下：1、第一次握手，客户端发送数据包syn到服务器，并进入SYN_SEND状态，等待回复2、第二次握手，服务器发送数据报syn/ack，给客户机，并进入SYN_RECV状态，等待回复3、第三次握手，客户端发送数据包ACK给客户机，发送完成后，客户端和服务器进入ESTABLISHED状态，链接建立完成 三次握手协议中，服务器维护一">
<meta name="keywords" content="CC攻击,SYN攻击,ACK攻击">
<meta property="og:type" content="article">
<meta property="og:title" content="使用iptables应对SYN攻击,CC攻击,ACK攻击[转]">
<meta property="og:url" content="http://sunhao.win/articles/safe-iptables.html">
<meta property="og:site_name" content="Da&#39;sBlog">
<meta property="og:description" content="三次握手的过程及相关概念TCP/IP协议使用三次握手来建立连接，过程如下：1、第一次握手，客户端发送数据包syn到服务器，并进入SYN_SEND状态，等待回复2、第二次握手，服务器发送数据报syn/ack，给客户机，并进入SYN_RECV状态，等待回复3、第三次握手，客户端发送数据包ACK给客户机，发送完成后，客户端和服务器进入ESTABLISHED状态，链接建立完成 三次握手协议中，服务器维护一">
<meta property="og:updated_time" content="2017-02-24T08:02:14.406Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="使用iptables应对SYN攻击,CC攻击,ACK攻击[转]">
<meta name="twitter:description" content="三次握手的过程及相关概念TCP/IP协议使用三次握手来建立连接，过程如下：1、第一次握手，客户端发送数据包syn到服务器，并进入SYN_SEND状态，等待回复2、第二次握手，服务器发送数据报syn/ack，给客户机，并进入SYN_RECV状态，等待回复3、第三次握手，客户端发送数据包ACK给客户机，发送完成后，客户端和服务器进入ESTABLISHED状态，链接建立完成 三次握手协议中，服务器维护一">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Mist',
    sidebar: {"position":"right","display":"post"},
    fancybox: true,
    motion: true,
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="http://sunhao.win/articles/safe-iptables.html"/>





  <title> 使用iptables应对SYN攻击,CC攻击,ACK攻击[转] | Da'sBlog </title>
</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  





  <script type="text/javascript">
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?b8432f1a5c5c27d6783c25569df4b270";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>










  
  
    
  

  <div class="container one-collumn sidebar-position-right page-post-detail ">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-meta ">
  

  <div class="custom-logo-site-title">
    <a href="/"  class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <span class="site-title">Da'sBlog</span>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>
    
      <h1 class="site-subtitle" itemprop="description"></h1>
    
</div>

<div class="site-nav-toggle">
  <button>
    <span class="btn-bar"></span>
    <span class="btn-bar"></span>
    <span class="btn-bar"></span>
  </button>
</div>
<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">


        
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br />
            
            首页
          </a>
        </li>
        


      
        
        <li class="menu-item menu-item-categories">


        
          <a href="/categories" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br />
            
            分类
          </a>
        </li>
        


      
        
        <li class="menu-item menu-item-archives">


        
          <a href="/archives" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br />
            
            归档
          </a>
        </li>
        


      
        
        <li class="menu-item menu-item-compass">


        
          <a href="/2017/01/11/compass" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th-list"></i> <br />
            
            compass中文手册
          </a>
        </li>
        


      

      
        <li class="menu-item menu-item-search">
          
            <a href="javascript:;" class="popup-trigger">
          
            
              <i class="menu-item-icon fa fa-search fa-fw"></i> <br />
            
            搜索
          </a>
        </li>
      
    </ul>
  

  
    <div class="site-search">
      
  <div class="popup">
 <span class="search-icon fa fa-search"></span>
 <input type="text" id="local-search-input">
 <div id="local-search-result"></div>
 <span class="popup-btn-close">close</span>
</div>


    </div>
  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal " itemscope itemtype="http://schema.org/Article">
  <link itemprop="mainEntityOfPage" href="http://sunhao.win/articles/safe-iptables.html">

  <span style="display:none" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <meta itemprop="name" content="Sun Hao">
    <meta itemprop="description" content="">
    <meta itemprop="image" content="/images/avatar.jpg">
  </span>

  <span style="display:none" itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
    <meta itemprop="name" content="Da'sBlog">
    <span style="display:none" itemprop="logo" itemscope itemtype="http://schema.org/ImageObject">
      <img style="display:none;" itemprop="url image" alt="Da'sBlog" src="">
    </span>
  </span>

    
      <header class="post-header">

        
        
          <h2 class="post-title" itemprop="name headline">
            
            
              
                使用iptables应对SYN攻击,CC攻击,ACK攻击[转]
              
            
          </h2>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2017-02-24T14:58:05+08:00">
                2017-02-24
              </time>
            

            

            
          </span>

          
            <span class="post-category" >
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/网络安全/" itemprop="url" rel="index">
                    <span itemprop="name">网络安全</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
              <span class="post-comments-count">
                <span class="post-meta-divider">|</span>
                <span class="post-meta-item-icon">
                  <i class="fa fa-comment-o"></i>
                </span>
                <a class="cloud-tie-join-count" href="/articles/safe-iptables.html#comments" itemprop="discussionUrl">
                  <span class="post-comments-count join-count" itemprop="commentCount"></span>
                </a>
              </span>
            
          

          
          

          
            <span class="post-meta-divider">|</span>
            <span class="page-pv"><i class="fa fa-file-o">本文总阅读量</i>
            <span class="busuanzi-value" id="busuanzi_value_page_pv" ></span>次
            </span>
          

          

          

        </div>
      </header>
    


    <div class="post-body" itemprop="articleBody">

      
      

      
        <p>三次握手的过程及相关概念<br>TCP/IP协议使用三次握手来建立连接，过程如下：<br>1、第一次握手，客户端发送数据包syn到服务器，并进入SYN_SEND状态，等待回复<br>2、第二次握手，服务器发送数据报syn/ack，给客户机，并进入SYN_RECV状态，等待回复<br>3、第三次握手，客户端发送数据包ACK给客户机，发送完成后，客户端和服务器进入ESTABLISHED状态，链接建立完成</p>
<p>三次握手协议中，服务器维护一个等待队列，收到一个syn包就在队列中建立一个条目，并分配一定的资源。对应的每一个条目表示已经收到一个syn请 求，并已经回复syn/ack，服务器上对应的连接已经进入SYN_RECV状态，等待客户端响应，收到客户端的响应包以后，该连接进入 ESTABLISHED状态，队列中对应的条目被删除。<br>backlog参数：设定等待队列的最大数目。对应内核参数：net.ipv4.tcp_max_syn_backlog = 1024<br>syn-ack重传次数：服务器发送syn/ack包，如果没有收到客户端的相应，就会重传syn/ack，超过一定时间之后会进行第二次重传，超过设定 次数以后将该条目从队列中删除。每次重传的间隔时间并不确定。对应的内核参数：net.ipv4.tcp_synack_retries = 5<br>syn重传次数：概念和syn/ack重传次数类似，对应的内核参数：net.ipv4.tcp_syn_retries = 5<br>等待存活时间：指等待队列的条目存活时间，即从服务器收到syn包到确认这个包无效的最长时间，该时间是所有重传包请求的最长等待时间<br><a id="more"></a><br>什么是SYN 攻击</p>
<p>syn攻击属于DDOS攻击中的一种，利用TCP/IP的缺陷进行网络攻击，可以使用很小的资源取得十分显著的效果。其基本原理如下：<br>服务器收到客户端的syn包，之后进入SYN_RECV状态，服务器的等待队列中增加一个条目，服务器未收到客户端的确认包，进行重传，一直到超时之后， 该条目从未链接队列中删除。客户端不断地发送syn包，而不响应来自服务器的syn/ack，等待队列的条目迅速增长，最后服务器的等待队列达到最大数 目，之后就不能再接受新的连接，一直到链接超时才从队列中删除对应的条目。配合ip地址欺骗技术，该方法可以取得十分良好的效果，基本上在攻击期间，服务 器将不能给正常的用户提供服务。这个攻击办法利用了TCP/IP协议的缺陷，攻击的目标不止于服务器，任何网络设备，只要开启了网络服务器，都可能会受到 这种攻击，导致处理器资源被大量占用，内存被用完，大量队列等待处理，针对网络设备的攻击往往会导致整个网络瘫痪。</p>
<p>如何减小SYN攻击的影响</p>
<p>1、修改等待数：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"># sysctl -w net.ipv4.tcp_max_syn_backlog=2048</div></pre></td></tr></table></figure></p>
<p>2、启用syncookies：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">#sysctl -w net.ipv4.tcp_syncookies=1</div></pre></td></tr></table></figure></p>
<p>启用syncookies可以大幅减小syn攻击带来的影响，但是却引入了新的安全缺陷</p>
<p>syncookie基本原理是：仔细处理连接的初始序列号而不是随机选择一个序列号。一旦server接收到SYN报文，将关键信息仔细编码并作为 state存储在SYN队列中。这种经过编码的信息是用一个秘钥进行加密hash，形成SYN-ACK报文中的序列号并发送给client。在合法握手的 第三个报文中，即从client返回给server的ACK报文中，在acknowledgment number字段中包含该序列号(加1). 这样，open双向连接所必须的所有信息又返回给server，而server在三次握手完成之前不必维护state。syn-cookies解决了 SYN的基本问题，但是随之带来一个新的问题，就是服务器需要对收到的ACK报文进行计算，提高了三次握手需要的系统资源。一种新的攻击方式随之而来，即 ACK攻击，发送大量的ACK数据报，导致服务器忙于计算最终导致服务器停止相应。Linux上的实际应用中，只有等待数被占满的时候才会启用 syncookies的方式（syncookies摘自网文）</p>
<p>3、修改重试次数<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">#sysctl -w net.ipv4.tcp_syn_retries = 0</div></pre></td></tr></table></figure></p>
<p>重传次数设置为0，只要收不到客户端的响应，立即丢弃该连接，默认设置为5次<br>4、使用iptables限制单个地址的并发连接数量：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">#iptables -t filter -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT</div></pre></td></tr></table></figure></p>
<p>5、使用iptables限制单个c类子网的并发链接数量：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">#iptables -t filter -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT</div></pre></td></tr></table></figure></p>
<p>6、限制单位时间内的连接数：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">#iptables -t filter -A INPUT -p tcp --dport 80 -m --state --state NEW -m recent --set --name access --resource</div><div class="line"></div><div class="line">#iptables -t filter -A INPUT -p tcp --dport 80 -m --state --state NEW -m recent --update --seconds 60 --hitcount 30 --name access -j DROP</div></pre></td></tr></table></figure></p>
<p>或者使用如下两条策略<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">#iptables -t filter -A INPUT -p tcp --dport 80 -m --state --syn -m recent --set</div><div class="line"></div><div class="line">#iptables -t filter -A INPUT -p tcp --dport 80 -m --state --syn -m recent --update --seconds 60 --hitcount 30 -j DROP</div></pre></td></tr></table></figure></p>
<p>7、为了取得更好的效果，需要修改/etc/modprobe.conf</p>
<p>options ipt_recent ip_list_tot=1000 ip_pkt_list_tot=60 记录10000个地址，每个地址60个包 # ip_list_tot最大为8100,超过这个数值会导致iptables错误<br>8、限制单个地址最大连接数：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">#iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP</div></pre></td></tr></table></figure></p>
<p>应对 ACK攻击</p>
<p>ACK 攻击是针对syn-cookies而发产生的，通过发送大量的ACK数据报，使目标服务器忙于计算，达到拒绝服务的目的，使用iptables对发起 ACK攻击的地址进行限制<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">#iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP</div></pre></td></tr></table></figure></p>
<p>限制并发连接数不大于50<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">#iptables -t filter -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK ACK -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT</div></pre></td></tr></table></figure></p>
<p>限制并发ACK不大于50</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">#iptables -t filter -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK ACK -m recent --set --name drop</div></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">#iptables -t filter -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK ACK -m recent --update --seconds 60 --hitcount 30 -j DROP</div></pre></td></tr></table></figure>
<p>一分钟内大于30次的连接全部丢弃<br>应对CC攻击</p>
<p>普通的CC攻击特点是所有的连接都是正常的完整的连接，这样的连接一般的防火墙是很难预防的。但是既然是网络攻击必然也具有网络攻击的共同特点，也 就是每一个攻击源都会发起尽量多的连接，因此我们仍然可以使用限制单个地址并发链接数量的办法来实现对CC攻击的抵御。具体命令同上</p>
<p>webcc，想必之下似乎更加难以预防，但是由于所有的访问都是由相同的一个或几个网站中转而来，这些访问请求的http_reffer都会带有这 些中转站的地址。我们只要在web服务器上设置http_reffer过滤即可大幅减小webcc攻击的影响，具体的设置这里就略过不表了</p>
<p>附：如何为RHEL5增加connlimit模块<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div><div class="line">34</div><div class="line">35</div><div class="line">36</div><div class="line">37</div><div class="line">38</div><div class="line">39</div><div class="line">40</div><div class="line">41</div><div class="line">42</div><div class="line">43</div><div class="line">44</div><div class="line">45</div><div class="line">46</div><div class="line">47</div><div class="line">48</div><div class="line">49</div><div class="line">50</div><div class="line">51</div><div class="line">52</div><div class="line">53</div><div class="line">54</div><div class="line">55</div><div class="line">56</div><div class="line">57</div><div class="line">58</div><div class="line">59</div><div class="line">60</div><div class="line">61</div><div class="line">62</div><div class="line">63</div><div class="line">64</div><div class="line">65</div><div class="line">66</div><div class="line">67</div><div class="line">68</div><div class="line">69</div><div class="line">70</div><div class="line">71</div><div class="line">72</div><div class="line">73</div><div class="line">74</div><div class="line">75</div><div class="line">76</div><div class="line">77</div><div class="line">78</div><div class="line">79</div><div class="line">80</div><div class="line">81</div><div class="line">82</div><div class="line">83</div><div class="line">84</div><div class="line">85</div><div class="line">86</div><div class="line">87</div><div class="line">88</div><div class="line">89</div><div class="line">90</div><div class="line">91</div><div class="line">92</div><div class="line">93</div><div class="line">94</div><div class="line">95</div><div class="line">96</div><div class="line">97</div><div class="line">98</div><div class="line">99</div><div class="line">100</div><div class="line">101</div><div class="line">102</div><div class="line">103</div><div class="line">104</div><div class="line">105</div><div class="line">106</div><div class="line">107</div><div class="line">108</div><div class="line">109</div><div class="line">110</div><div class="line">111</div><div class="line">112</div><div class="line">113</div><div class="line">114</div><div class="line">115</div><div class="line">116</div><div class="line">117</div><div class="line">118</div><div class="line">119</div><div class="line">120</div><div class="line">121</div><div class="line">122</div><div class="line">123</div><div class="line">124</div><div class="line">125</div><div class="line">126</div><div class="line">127</div><div class="line">128</div><div class="line">129</div><div class="line">130</div><div class="line">131</div><div class="line">132</div><div class="line">133</div><div class="line">134</div><div class="line">135</div><div class="line">136</div><div class="line">137</div><div class="line">138</div><div class="line">139</div><div class="line">140</div><div class="line">141</div><div class="line">142</div><div class="line">143</div><div class="line">144</div><div class="line">145</div><div class="line">146</div><div class="line">147</div><div class="line">148</div><div class="line">149</div><div class="line">150</div><div class="line">151</div><div class="line">152</div><div class="line">153</div><div class="line">154</div><div class="line">155</div><div class="line">156</div><div class="line">157</div><div class="line">158</div><div class="line">159</div><div class="line">160</div><div class="line">161</div><div class="line">162</div><div class="line">163</div><div class="line">164</div><div class="line">165</div><div class="line">166</div><div class="line">167</div><div class="line">168</div><div class="line">169</div><div class="line">170</div><div class="line">171</div><div class="line">172</div><div class="line">173</div><div class="line">174</div><div class="line">175</div><div class="line">176</div><div class="line">177</div><div class="line">178</div><div class="line">179</div><div class="line">180</div><div class="line">181</div><div class="line">182</div><div class="line">183</div><div class="line">184</div><div class="line">185</div><div class="line">186</div><div class="line">187</div><div class="line">188</div><div class="line">189</div></pre></td><td class="code"><pre><div class="line">#wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2</div><div class="line">#wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2</div><div class="line">#</div><div class="line">bunzip2 iptables-1.4.0.tar.bz2 </div><div class="line">#</div><div class="line">tar xvf iptables-1.4.0.tar </div><div class="line"># </div><div class="line">bunzip2 patch-o-matic-ng-20080214.tar.bz2 </div><div class="line"># tar xf patch-o-matic-ng-20080214.tar </div><div class="line">#</div><div class="line">cd patch-o-matic-ng-20080214</div><div class="line">下载connlimit模块</div><div class="line"></div><div class="line"># export KERNEL_DIR=/usr/src/kernels/2.6.18-8.el5-i686/ </div><div class="line"># export IPTABLES_DIR=/root/iptables-1.4.0</div><div class="line"># ./runme --download</div><div class="line"></div><div class="line">Successfully downloaded external patch geoip</div><div class="line">Successfully downloaded external patch condition</div><div class="line">Successfully downloaded external patch IPMARK</div><div class="line">Successfully downloaded external patch ROUTE</div><div class="line">Successfully downloaded external patch connlimit</div><div class="line">Successfully downloaded external patch ipp2p</div><div class="line">Successfully downloaded external patch time</div><div class="line">./patchlets/ipv4options exists and is not external</div><div class="line">./patchlets/TARPIT exists and is not external</div><div class="line">Failed to get http://www.intra2net.com/de/produkte/opensource/ipt_account//index, skipping..</div><div class="line">Successfully downloaded external patch pknock</div><div class="line">Loading patchlet definitions........................ done</div><div class="line"></div><div class="line"></div><div class="line">Excellent! Source trees are ready for compilation.</div><div class="line">把connlimit应用到内核</div><div class="line"></div><div class="line"># ./runme connlimit</div><div class="line">Loading patchlet definitions........................ done</div><div class="line">Welcome to Patch-o-matic ($Revision: 6736 $)!</div><div class="line"></div><div class="line">Kernel:</div><div class="line">2.6.18, /usr/src/kernels/2.6.18-8.el5-i686/</div><div class="line">Iptables: 1.4.0, /root/iptables-1.4.0/</div><div class="line">Each patch is a new feature: many have minimal impact, some do not.</div><div class="line">Almost every one has bugs, so don&apos;t apply what you don&apos;t need!</div><div class="line">-------------------------------------------------------</div><div class="line">Already applied: </div><div class="line">Testing connlimit... not applied</div><div class="line">The connlimit patch:</div><div class="line"></div><div class="line">Author: Gerd Knorr &lt;kraxel@bytesex.org&gt;</div><div class="line"></div><div class="line">Status: ItWorksForMe[tm]</div><div class="line"></div><div class="line">This adds an iptables match which allows you to restrict the</div><div class="line">number of parallel TCP connections to a server per client IP address</div><div class="line">(or address block).</div><div class="line"></div><div class="line">Examples:</div><div class="line"></div><div class="line"># allow 2 telnet connections per client host</div><div class="line">iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT</div><div class="line"></div><div class="line"># you can also match the other way around:</div><div class="line">iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT</div><div class="line"></div><div class="line"># limit the nr of parallel http requests to 16 per class C sized</div><div class="line"># network (24 bit netmask)</div><div class="line">iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \</div><div class="line"></div><div class="line">--connlimit-mask 24 -j REJECT</div><div class="line">-----------------------------------------------------------------</div><div class="line">Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y</div><div class="line"></div><div class="line">Excellent! Source trees are ready for compilation.</div><div class="line">内核编译</div><div class="line"># make oldconfig</div><div class="line">scripts/kconfig/conf -o arch/i386/Kconfig</div><div class="line">*</div><div class="line">* Linux Kernel Configuration</div><div class="line">*</div><div class="line">*</div><div class="line">* Code maturity level options</div><div class="line">*</div><div class="line">Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y</div><div class="line"></div><div class="line">*</div><div class="line">* General setup</div><div class="line">………………………………………………………………………………………………………………………………………………………..</div><div class="line"></div><div class="line"></div><div class="line"></div><div class="line">ARP tables support (IP_NF_ARPTABLES) [M/n/?] m</div><div class="line"></div><div class="line">ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m</div><div class="line"></div><div class="line">ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m</div><div class="line"></div><div class="line">Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m</div><div class="line">提示加入了connlimit的选项，问使用哪一种模式，编译进内核还是模块，输入“m”，编译为模块</div><div class="line"></div><div class="line">CRC16 functions (CRC16) [M/n/y/?] m</div><div class="line">CRC32 functions (CRC32) [Y/?] y</div><div class="line">CRC32c (Castagnoli, et al) Cyclic Redundancy-Check (LIBCRC32C) [Y/?] y</div><div class="line">#</div><div class="line"># configuration written to .config</div><div class="line">#</div><div class="line">编译模块</div><div class="line"></div><div class="line"># make modules_prepare</div><div class="line">scripts/kconfig/conf -s arch/i386/Kconfig</div><div class="line"></div><div class="line">CHK</div><div class="line">include/linux/version.h</div><div class="line"></div><div class="line">CHK</div><div class="line">include/linux/utsrelease.h</div><div class="line"></div><div class="line">HOSTCC</div><div class="line">scripts/genksyms/genksyms.o</div><div class="line"></div><div class="line">HOSTCC</div><div class="line">scripts/genksyms/lex.o</div><div class="line"></div><div class="line">HOSTCC</div><div class="line">scripts/genksyms/parse.o</div><div class="line"></div><div class="line">HOSTLD</div><div class="line">scripts/genksyms/genksyms</div><div class="line"></div><div class="line">CC</div><div class="line">scripts/mod/empty.o</div><div class="line"></div><div class="line">MKELF</div><div class="line">scripts/mod/elfconfig.h</div><div class="line"></div><div class="line">HOSTCC</div><div class="line">scripts/mod/file2alias.o</div><div class="line"></div><div class="line">HOSTCC</div><div class="line">scripts/mod/modpost.o</div><div class="line"></div><div class="line">HOSTCC</div><div class="line">scripts/mod/sumversion.o</div><div class="line"></div><div class="line">HOSTLD</div><div class="line">scripts/mod/modpost</div><div class="line">[root@localhost 2.6.18-8.el5-i686]# mv net/ipv4/netfilter/Makefile </div><div class="line">net/ipv4/netfilter/Makefile.bak</div><div class="line">备份原来的文件</div><div class="line"></div><div class="line"># make M=net/ipv4/netfilter/</div><div class="line"></div><div class="line">LD</div><div class="line">net/ipv4/netfilter/built-in.o</div><div class="line"></div><div class="line">CC [M]</div><div class="line">net/ipv4/netfilter/ipt_connlimit.o</div><div class="line"></div><div class="line">Building modules, stage 2.</div><div class="line"></div><div class="line">MODPOST</div><div class="line"></div><div class="line">CC</div><div class="line">net/ipv4/netfilter/ipt_connlimit.mod.o</div><div class="line"></div><div class="line">LD [M]</div><div class="line">net/ipv4/netfilter/ipt_connlimit.ko</div><div class="line"></div><div class="line">#</div><div class="line">cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/</div><div class="line"># chmod 744 /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko </div><div class="line"></div><div class="line"># depmod -a</div><div class="line">[root@localhost 2.6.18-8.el5-i686]# modprobe ipt_connlimit</div><div class="line"># lsmod |grep conn</div><div class="line">ip_conntrack_netbios_ns</div><div class="line">6977</div><div class="line">0 </div><div class="line">ipt_connlimit</div><div class="line">7680</div><div class="line">6 </div><div class="line">ip_conntrack</div><div class="line">53153</div><div class="line">3 ip_conntrack_netbios_ns,xt_state,ipt_connlimit</div><div class="line">nfnetlink</div><div class="line">10713</div><div class="line">1 ip_conntrack</div><div class="line">x_tables</div><div class="line">17349</div><div class="line">8 ipt_recent,xt_state,ipt_REJECT,ipt_connlimit,ip_tables,ip6t_REJECT,xt_tcpudp,ip6_tables</div></pre></td></tr></table></figure></p>
<p>好了，模块安装完毕。可以使用connlimit策略了</p>

      
    </div>

    <div>
      
        

      
    </div>

    <div>
      
        

      
    </div>


    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/CC攻击/" rel="tag"># CC攻击</a>
          
            <a href="/tags/SYN攻击/" rel="tag"># SYN攻击</a>
          
            <a href="/tags/ACK攻击/" rel="tag"># ACK攻击</a>
          
        </div>
      

      
        
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/articles/safe-cc.html" rel="next" title="服务器网站被CC攻击的解决方法">
                <i class="fa fa-chevron-left"></i> 服务器网站被CC攻击的解决方法
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/articles/css-top-right-bootom-left-zero.html" rel="prev" title="position:absolute-top,right,bottom,left为0使用">
                position:absolute-top,right,bottom,left为0使用 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </article>



    <div class="post-spread">
      
        <!-- JiaThis Button BEGIN -->
<div class="jiathis_style">
  <a class="jiathis_button_tsina"></a>
  <a class="jiathis_button_tqq"></a>
  <a class="jiathis_button_weixin"></a>
  <a class="jiathis_button_cqq"></a>
  <a class="jiathis_button_douban"></a>
  <a class="jiathis_button_renren"></a>
  <a class="jiathis_button_qzone"></a>
  <a class="jiathis_button_kaixin001"></a>
  <a class="jiathis_button_copy"></a>
  <a href="http://www.jiathis.com/share" class="jiathis jiathis_txt jiathis_separator jtico jtico_jiathis" target="_blank"></a>
  <a class="jiathis_counter_style"></a>
</div>
<script type="text/javascript" >
  var jiathis_config={
    hideMore:false
  }
</script>
<script type="text/javascript" src="http://v3.jiathis.com/code/jia.js" charset="utf-8"></script>
<!-- JiaThis Button END -->

      
    </div>
  </div>

          
          </div>
          


          
  <div class="comments" id="comments">
    
      <div id="cloud-tie-wrapper" class="cloud-tie-wrapper"></div>
    
  </div>


        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    <div class="sidebar-inner">

      

      

      <section class="site-overview sidebar-panel sidebar-panel-active">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
          <img class="site-author-image" itemprop="image"
               src="/images/avatar.jpg"
               alt="Sun Hao" />
          <p class="site-author-name" itemprop="name">Sun Hao</p>
          <p class="site-description motion-element" itemprop="description">Whoever wants to be first must be slave of all.</p>
        </div>
        <nav class="site-state motion-element">
        
          
            <div class="site-state-item site-state-posts">
              <a href="/archives">
                <span class="site-state-item-count">40</span>
                <span class="site-state-item-name">日志</span>
              </a>
            </div>
          

          
            <div class="site-state-item site-state-categories">
              <a href="/categories">
                <span class="site-state-item-count">19</span>
                <span class="site-state-item-name">分类</span>
              </a>
            </div>
          

          
            <div class="site-state-item site-state-tags">
              
                <span class="site-state-item-count">69</span>
                <span class="site-state-item-name">标签</span>
              
            </div>
          

        </nav>

        
          <div class="feed-link motion-element">
            <a href="/atom.xml" rel="alternate">
              <i class="fa fa-rss"></i>
              RSS
            </a>
          </div>
        

        <div class="links-of-author motion-element">
          
        </div>

        
        
          <div class="cc-license motion-element" itemprop="license">
            <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" class="cc-opacity" target="_blank">
              <img src="/images/cc-by-nc-sa.svg" alt="Creative Commons" />
            </a>
          </div>
        

        
        

        


      </section>

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright" >
  
  &copy; 
  <span itemprop="copyrightYear">2017</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Sun Hao</span>
</div>


<div class="powered-by">
  Erstellt mit  <a class="theme-link" href="https://hexo.io">Hexo</a>
</div>

<div class="theme-info">
  Theme -
  <a class="theme-link" href="https://github.com/iissnan/hexo-theme-next">
    NexT.Mist
  </a>
</div>


        

<div class="busuanzi-count">

  <script async src="https://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  
    <span class="site-uv"><i class="fa fa-user">本站访客数</i><span class="busuanzi-value" id="busuanzi_value_site_uv"></span>人次</span>
  

  
    <span class="site-pv"><i class="fa fa-eye">本站总访问量</i><span class="busuanzi-value" id="busuanzi_value_site_pv"></span>次</span>
  
  
</div>



        
      </div>
    </footer>

    <div class="back-to-top">
      <i class="fa fa-arrow-up"></i>
    </div>
  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  




  
  <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>

  
  <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>

  
  <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>

  
  <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>

  
  <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>

  
  <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.0"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.0"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.0"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.0"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.0"></script>



  



  




	





  
    
    <script>
      var cloudTieConfig = {
        url: document.location.href, 
        sourceId: "",
        productKey: "68d47669d3794a958fbaaee9328b90f3",
        target: "cloud-tie-wrapper"
      };
    </script>
    <script src="https://img1.ws.126.net/f2e/tie/yun/sdk/loader.js"></script>
  







  
  
  <script type="text/javascript">
    // Popup Window;
    var isfetched = false;
    // Search DB path;
    var search_path = "search.xml";
    if (search_path.length == 0) {
      search_path = "search.xml";
    }
    var path = "/" + search_path;
    // monitor main search box;

    function proceedsearch() {
      $("body").append('<div class="popoverlay">').css('overflow', 'hidden');
      $('.popup').toggle();
    }
    // search function;
    var searchFunc = function(path, search_id, content_id) {
      'use strict';
      $.ajax({
        url: path,
        dataType: "xml",
        async: true,
        success: function( xmlResponse ) {
          // get the contents from search data
          isfetched = true;
          $('.popup').detach().appendTo('.header-inner');
          var datas = $( "entry", xmlResponse ).map(function() {
            return {
              title: $( "title", this ).text(),
              content: $("content",this).text(),
              url: $( "url" , this).text()
            };
          }).get();
          var $input = document.getElementById(search_id);
          var $resultContent = document.getElementById(content_id);
          $input.addEventListener('input', function(){
            var matchcounts = 0;
            var str='<ul class=\"search-result-list\">';
            var keywords = this.value.trim().toLowerCase().split(/[\s\-]+/);
            $resultContent.innerHTML = "";
            if (this.value.trim().length > 1) {
              // perform local searching
              datas.forEach(function(data) {
                var isMatch = false;
                var content_index = [];
                var data_title = data.title.trim().toLowerCase();
                var data_content = data.content.trim().replace(/<[^>]+>/g,"").toLowerCase();
                var data_url = decodeURIComponent(data.url);
                var index_title = -1;
                var index_content = -1;
                var first_occur = -1;
                // only match artiles with not empty titles and contents
                if(data_title != '') {
                  keywords.forEach(function(keyword, i) {
                    index_title = data_title.indexOf(keyword);
                    index_content = data_content.indexOf(keyword);
                    if( index_title >= 0 || index_content >= 0 ){
                      isMatch = true;
                      if (i == 0) {
                        first_occur = index_content;
                      }
                    }

                  });
                }
                // show search results
                if (isMatch) {
                  matchcounts += 1;
                  str += "<li><a href='"+ data_url +"' class='search-result-title'>"+ data_title +"</a>";
                  var content = data.content.trim().replace(/<[^>]+>/g,"");
                  if (first_occur >= 0) {
                    // cut out 100 characters
                    var start = first_occur - 20;
                    var end = first_occur + 80;
                    if(start < 0){
                      start = 0;
                    }
                    if(start == 0){
                      end = 50;
                    }
                    if(end > content.length){
                      end = content.length;
                    }
                    var match_content = content.substring(start, end);
                    // highlight all keywords
                    keywords.forEach(function(keyword){
                      var regS = new RegExp(keyword, "gi");
                      match_content = match_content.replace(regS, "<b class=\"search-keyword\">"+keyword+"</b>");
                    });

                    str += "<p class=\"search-result\">" + match_content +"...</p>"
                  }
                  str += "</li>";
                }
              })};
            str += "</ul>";
            if (matchcounts == 0) { str = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>' }
            if (keywords == "") { str = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>' }
            $resultContent.innerHTML = str;
          });
          proceedsearch();
        }
      });}

    // handle and trigger popup window;
    $('.popup-trigger').click(function(e) {
      e.stopPropagation();
      if (isfetched == false) {
        searchFunc(path, 'local-search-input', 'local-search-result');
      } else {
        proceedsearch();
      };
    });

    $('.popup-btn-close').click(function(e){
      $('.popup').hide();
      $(".popoverlay").remove();
      $('body').css('overflow', '');
    });
    $('.popup').click(function(e){
      e.stopPropagation();
    });
  </script>


  

  

  
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';        
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>


  


</body>
</html>
